Verifying identity via keystroke characteristics
International Journal of Man-Machine Studies
Generating representative Web workloads for network and server performance evaluation
SIGMETRICS '98/PERFORMANCE '98 Proceedings of the 1998 ACM SIGMETRICS joint international conference on Measurement and modeling of computer systems
User authentication through keystroke dynamics
ACM Transactions on Information and System Security (TISSEC)
Rapid model parameterization from traffic measurements
ACM Transactions on Modeling and Computer Simulation (TOMACS)
Toward Speech-Generated Cryptographic Keys on Resource-Constrained Devices
Proceedings of the 11th USENIX Security Symposium
Typing Patterns: A Key to User Identification
IEEE Security and Privacy
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Biometric authentication revisited: understanding the impact of wolves in sheep's clothing
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Detecting change in data streams
VLDB '04 Proceedings of the Thirtieth international conference on Very large data bases - Volume 30
Towards practical biometric key generation with randomized biometric templates
Proceedings of the 15th ACM conference on Computer and communications security
Robust techniques for evaluating biometric cryptographic key generators
Robust techniques for evaluating biometric cryptographic key generators
Bootstrapping trust in a "trusted" platform
HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
The practical subtleties of biometric key generation
SS'08 Proceedings of the 17th conference on Security symposium
Attacking the BitLocker Boot Process
Trust '09 Proceedings of the 2nd International Conference on Trusted Computing
Not-a-Bot: improving service availability in the face of botnet attacks
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Testing metrics for password creation policies by attacking large sets of revealed passwords
Proceedings of the 17th ACM conference on Computer and communications security
On the discriminability of keystroke feature vectors used in fixed text keystroke authentication
Pattern Recognition Letters
Should security researchers experiment more and draw more inferences?
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
Using global knowledge of users' typing traits to attack keystroke biometrics templates
Proceedings of the thirteenth ACM multimedia workshop on Multimedia and security
A parallel decision tree-based method for user authentication based on keystroke patterns
IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics
Forgery Quality and Its Implications for Behavioral Biometric Security
IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics
When kids' toys breach mobile phone security
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
| Hi-index | 0.00 |
Research on keystroke-based authentication has traditionally assumed human impostors who generate forgeries by physically typing on the keyboard. With bots now well understood to have the capacity to originate precisely timed keystroke sequences, this model of attack is likely to underestimate the threat facing a keystroke-based system in practice. In this work, we investigate how a keystroke-based authentication system would perform if it were subjected to synthetic attacks designed to mimic the typical user. To implement the attacks, we perform a rigorous statistical analysis on keystroke biometrics data collected over a 2-year period from more than 3000 users, and then use the observed statistical traits to design and launch algorithmic attacks against three state-of-the-art password-based keystroke verification systems. Relative to the zero-effort attacks typically used to test the performance of keystroke biometric systems, we show that our algorithmic attack increases the mean Equal Error Rates (EERs) of three high performance keystroke verifiers by between 28.6% and 84.4%. We also find that the impact of the attack is more pronounced when the keystroke profiles subjected to the attack are based on shorter strings, and that some users see considerably greater performance degradation under the attack than others. This article calls for a shift from the traditional zero-effort approach of testing the performance of password-based keystroke verifiers, to a more rigorous algorithmic approach that captures the threat posed by today’s bots.